<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>SSSD and Active Directory</title>
<link rel="stylesheet" type="text/css" href="../C.css">
<script type="text/javascript" src="../jquery.js"></script><script type="text/javascript" src="../jquery.syntax.js"></script><script type="text/javascript" src="../yelp.js"></script>
</head>
<body id="home">
<!--<script src="https://ssl.google-analytics.com/urchin.js" type="text/javascript"></script><script type="text/javascript">
        _uacct = "UA-1018242-8";
        urchinTracker();
      </script><script>
      function englishPageVersion() {
        var href = window.location.href;
        if (href.slice(-1) == "/") {
                window.location = "index.html.en";
        } else {
                window.location = href.replace(/\.html.*/, ".html.en");
        }
         return false;
      }
      function browserPreferredLanguage() {
        var href = window.location.href;
        if (href.slice(-1) == "/") {
                window.location = href;
        } else {
                window.location = href.replace(/\.html.*/, ".html");
        }
        return false;
      }
      </script>--><div id="container">
<div id="container-inner">
<div id="mothership"><ul>
<li><a href="https://partners.ubuntu.com">Partners</a></li>
<li><a href="https://www.ubuntu.com/support/community-support">Support</a></li>
<li><a href="https://community.ubuntu.com">Community</a></li>
<li><a href="https://www.ubuntu.com">Ubuntu.com</a></li>
</ul></div>
<div id="header">
<h1 id="ubuntu-header"><a href="https://help.ubuntu.com/">Ubuntu Documentation</a></h1>
<ul id="main-menu">
<li><a class="main-menu-item current" href="https://help.ubuntu.com/">Official Documentation</a></li>
<li><a href="https://help.ubuntu.com/community/CommunityHelpWiki">Community Help Wiki</a></li>
<li><a href="https://community.ubuntu.com/t/contribute/26">Contribute</a></li>
</ul>
</div>
<div id="menu-search"><div id="search-box">
<noscript><form action="https://www.google.com/cse" id="cse-search-box"><div>
<input type="hidden" name="cx" value="003883529982892832976:e2vwumte3fq"><input type="hidden" name="ie" value="UTF-8"><input type="text" name="q" size="21"><input type="submit" name="sa" value="Search">
</div></form></noscript><!--
<script>
                document.write('<form action="https://help.ubuntu.com/search.html" id="cse-search-box">');
                document.write('  <div>');
                document.write('    <input type="hidden" name="cof" value="FORID:9">');
                document.write('    <input type="hidden" name="cx" value="003883529982892832976:e2vwumte3fq">');
                document.write('    <input type="hidden" name="ie" value="UTF-8">');
                document.write('    <input type="text" name="q" size="21">');
                document.write('    <input type="submit" name="sa" value="Search">');
                document.write('  </div>');
                document.write('</form>');
              </script>-->
</div></div>
<div class="trails"><div class="trail">
<a href="https://help.ubuntu.com/18.04" class="trail">Ubuntu 18.04</a> » <a class="trail" href="../index.html" title="Ubuntu Server Guide">Ubuntu Server Guide</a> » <a class="trail" href="network-authentication.html" title="Network Authentication">Network Authentication</a> » </div></div>
<div id="cwt-content" class="clearfix content-area"><div id="page">
<div id="content">
<div class="links nextlinks">
<a class="nextlinks-prev" href="kerberos-ldap.html" title="Kerberos and LDAP">Previous</a><a class="nextlinks-next" href="../dns/dns.html" title="Domain Name Service (DNS)">Next</a>
</div>
<div class="hgroup"><h1 class="title">SSSD and Active Directory</h1></div>
<div class="region">
<div class="contents"><p class="para">
    	This section describes the use of sssd to authenticate user logins against an Active Directory via using sssd's "ad" provider.  In previous versions of sssd, it was possible to authenticate using the "ldap" provider.  However, when authenticating against a Microsoft Windows AD Domain Controller, it was generally necessary to install the POSIX AD extensions on the Domain Controller.  The "ad" provider simplifies the configuration and requires no modifications to the AD structure.
    </p></div>
<div class="links sectionlinks" role="navigation"><ul>
<li class="links"><a class="xref" href="sssd-ad.html#sssd-ad-requirements" title="Prerequisites, Assumptions, and Requirements">Prerequisites, Assumptions, and Requirements</a></li>
<li class="links"><a class="xref" href="sssd-ad.html#sssd-ad-installation" title="Software Installation">Software Installation</a></li>
<li class="links"><a class="xref" href="sssd-ad.html#sssd-ad-kerberos" title="Kerberos Configuration">Kerberos Configuration</a></li>
<li class="links"><a class="xref" href="sssd-ad.html#sssd-ad-samba" title="Samba Configuration">Samba Configuration</a></li>
<li class="links"><a class="xref" href="sssd-ad.html#sssd-ad-sssdconfig" title="SSSD Configuration">SSSD Configuration</a></li>
<li class="links"><a class="xref" href="sssd-ad.html#sssd-ad-nsswitch" title="Verify nsswitch.conf Configuration">Verify nsswitch.conf Configuration</a></li>
<li class="links"><a class="xref" href="sssd-ad.html#sssd-ad-hosts" title="Modify /etc/hosts">Modify /etc/hosts</a></li>
<li class="links"><a class="xref" href="sssd-ad.html#sssd-ad-join" title="Join the Active Directory">Join the Active Directory</a></li>
<li class="links"><a class="xref" href="sssd-ad.html#sssd-ad-test" title="Test Authentication">Test Authentication</a></li>
<li class="links"><a class="xref" href="sssd-ad.html#sssd-ad-mkhomedir" title="Home directories with pam_mkhomedir (optional)">Home directories with pam_mkhomedir (optional)</a></li>
<li class="links"><a class="xref" href="sssd-ad.html#sssd-ad-desktop" title="Desktop Ubuntu Authentication">Desktop Ubuntu Authentication</a></li>
<li class="links"><a class="xref" href="sssd-ad.html#sssd-ad-resources" title="Resources">Resources</a></li>
</ul></div>
<div class="sect2 sect" id="sssd-ad-requirements"><div class="inner">
<div class="hgroup"><h2 class="title">Prerequisites, Assumptions, and Requirements</h2></div>
<div class="region"><div class="contents"><div class="list itemizedlist"><ul class="list itemizedlist">
<li class="list itemizedlist">
        		<p class="para">This guide does not explain Active Directory, how it works, how to set one up, or how to maintain it.  It may not provide <span class="quote">“best practices”</span> for your environment.</p>
</li>
<li class="list itemizedlist">
				<p class="para">This guide assumes that a working Active Directory domain is already configured.</p>
</li>
<li class="list itemizedlist">
				<p class="para">The domain controller is acting as an authoritative DNS server for the domain.</p>
</li>
<li class="list itemizedlist">
				<p class="para">The domain controller is the primary DNS resolver as specified in  <span class="file filename">/etc/resolv.conf</span>.</p>
			</li>
<li class="list itemizedlist">
				<p class="para">The appropriate <span class="em emphasis">_kerberos</span>, <span class="em emphasis">_ldap</span>, <span class="em emphasis">_kpasswd</span>, etc. entries are configured in the DNS zone (see Resources section for external links).</p>
</li>
<li class="list itemizedlist">
				<p class="para">System time is synchronized on the domain controller (necessary for Kerberos).</p>
</li>
<li class="list itemizedlist">
				<p class="para">The domain used in this example is <span class="em emphasis">myubuntu.example.com</span> .</p>
</li>
</ul></div></div></div>
</div></div>
<div class="sect2 sect" id="sssd-ad-installation"><div class="inner">
<div class="hgroup"><h2 class="title">Software Installation</h2></div>
<div class="region"><div class="contents">
<p class="para">The following packages are needed: <span class="em emphasis">krb5-user</span>, <span class="em emphasis">samba</span>, <span class="em emphasis">sssd</span>, and <span class="em emphasis">ntp</span>.  Samba needs to be installed, even if the system is not exporting shares. The Kerberos realm and FQDN or IP of the domain controllers are needed for this step.</p>
<p class="para">Install these packages now.
		</p>
<div class="screen"><pre class="contents "><span class="cmd command">sudo apt install krb5-user samba sssd chrony</span></pre></div>
<p class="para">See the next section for the answers to the questions asked by the <span class="em emphasis">krb5-user</span> postinstall script.</p>
</div></div>
</div></div>
<div class="sect2 sect" id="sssd-ad-kerberos"><div class="inner">
<div class="hgroup"><h2 class="title">Kerberos Configuration</h2></div>
<div class="region"><div class="contents">
<p class="para">The installation of <span class="em emphasis">krb5-user</span> will prompt for the realm name (in ALL UPPERCASE), the kdc server (i.e. domain controller) and admin server (also the domain controller in this example.)  This will write the [realm] and [domain_realm] sections in <span class="file filename">/etc/krb5.conf</span>.  These sections may not be necessary if domain autodiscovery is working.  If not, then both are needed.</p>
<p class="para">If the domain is <span class="em emphasis">myubuntu.example.com</span>, enter the realm as <span class="em emphasis">MYUBUNTU.EXAMPLE.COM</span>
		</p>
<p class="para">Optionally, edit <span class="em emphasis">/etc/krb5.conf</span> with a few additional settings to specify Kerberos ticket lifetime (these values are safe to use as defaults):</p>
<div class="code"><pre class="contents ">[libdefaults]

default_realm = MYUBUNTU.EXAMPLE.COM
ticket_lifetime = 24h #
renew_lifetime = 7d
		</pre></div>
<p class="para">If default_realm is not specified, it may be necessary to log in with <span class="quote">“username@domain”</span> instead of <span class="quote">“username”</span>.</p>
<p class="para">The system time on the Active Directory member needs to be consistent with that of the domain controller, or Kerberos authentication may fail.  Ideally, the domain controller server itself will provide the NTP service. Edit <span class="file filename">/etc/chrony/chrony.conf</span>:</p>
<div class="code"><pre class="contents ">server dc.myubuntu.example.com
</pre></div>
</div></div>
</div></div>
<div class="sect2 sect" id="sssd-ad-samba"><div class="inner">
<div class="hgroup"><h2 class="title">Samba Configuration</h2></div>
<div class="region"><div class="contents">
<p class="para">Samba will be used to perform netbios/nmbd services related to Active Directory authentication, even if no file shares are exported.  Edit the file /etc/samba/smb.conf and add the following to the <span class="em emphasis">[global]</span> section:</p>
<div class="code"><pre class="contents ">[global]

workgroup = MYUBUNTU
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
realm = MYUBUNTU.EXAMPLE.COM
security = ads
</pre></div>
<div class="note" title="Note"><div class="inner"><div class="region"><div class="contents"><p class="para">Some guides specify that "password server" should be specified and pointed to the domain controller.  This is only necessary if DNS is not properly set up to find the DC.  By default, Samba will display a warning if "password server" is specified with "security = ads".</p></div></div></div></div>
</div></div>
</div></div>
<div class="sect2 sect" id="sssd-ad-sssdconfig"><div class="inner">
<div class="hgroup"><h2 class="title">SSSD Configuration</h2></div>
<div class="region"><div class="contents">
<p class="para">There is no default/example config file for <span class="file filename">/etc/sssd/sssd.conf</span> included in the sssd package.  It is necessary to create one.  This is a minimal working config file:</p>
<div class="code"><pre class="contents ">[sssd]
services = nss, pam
config_file_version = 2
domains = MYUBUNTU.EXAMPLE.COM

[domain/MYUBUNTU.EXAMPLE.COM]
id_provider = ad
access_provider = ad

# Use this if users are being logged in at /.
# This example specifies /home/DOMAIN-FQDN/user as $HOME.  Use with pam_mkhomedir.so
override_homedir = /home/%d/%u

# Uncomment if the client machine hostname doesn't match the computer object on the DC.
# ad_hostname = mymachine.myubuntu.example.com

# Uncomment if DNS SRV resolution is not working
# ad_server = dc.mydomain.example.com

# Uncomment if the AD domain is named differently than the Samba domain
# ad_domain = MYUBUNTU.EXAMPLE.COM

# Enumeration is discouraged for performance reasons.
# enumerate = true
</pre></div>
<p class="para">After saving this file, set the ownership to root and the file permissions to 600:</p>
<div class="screen"><pre class="contents "><span class="cmd command">sudo chown root:root /etc/sssd/sssd.conf</span></pre></div>
<div class="screen"><pre class="contents "><span class="cmd command">sudo chmod 600 /etc/sssd/sssd.conf</span></pre></div>
<p class="para">If the ownership or permissions are not correct, sssd will refuse to start.</p>
</div></div>
</div></div>
<div class="sect2 sect" id="sssd-ad-nsswitch"><div class="inner">
<div class="hgroup"><h2 class="title">Verify nsswitch.conf Configuration</h2></div>
<div class="region"><div class="contents">
<p class="para">The post-install script for the sssd package makes some modifications to /etc/nsswitch.conf automatically.  It should look something like this:</p>
<div class="code"><pre class="contents ">passwd:         compat sss
group:          compat sss
...
netgroup:       nis sss
sudoers:        files sss
</pre></div>
</div></div>
</div></div>
<div class="sect2 sect" id="sssd-ad-hosts"><div class="inner">
<div class="hgroup"><h2 class="title">Modify /etc/hosts</h2></div>
<div class="region"><div class="contents">
<p class="para">Add an alias to the localhost entry in /etc/hosts specifying the FQDN.  For example:</p>
<div class="code"><pre class="contents ">192.168.1.10 myserver myserver.myubuntu.example.com</pre></div>
<p class="para">This is useful in conjunction with dynamic DNS updates.</p>
</div></div>
</div></div>
<div class="sect2 sect" id="sssd-ad-join"><div class="inner">
<div class="hgroup"><h2 class="title">Join the Active Directory</h2></div>
<div class="region"><div class="contents">
<p class="para">Now, restart chrony and samba and start sssd.</p>
<div class="screen"><pre class="contents "><span class="cmd command">sudo systemctl restart chrony.service</span>
<span class="cmd command">sudo systemctl restart smbd.service nmbd.service</span> 
<span class="cmd command">sudo systemctl start sssd.service</span></pre></div>
<p class="para">Test the configuration by obtaining a Kerberos ticket:</p>
<div class="screen"><pre class="contents "><span class="cmd command">sudo kinit Administrator</span></pre></div>
<p class="para">Verify the ticket with:</p>
<div class="screen"><pre class="contents "><span class="cmd command">sudo klist</span></pre></div>
<p class="para">If there is a ticket with an expiration date listed, then it is time to join the domain:</p>
<div class="screen"><pre class="contents "><span class="cmd command">sudo net ads join -k</span></pre></div>
<p class="para">A warning about "No DNS domain configured. Unable to perform DNS Update." probably means that there is no (correct) alias in <span class="file filename">/etc/hosts</span>, and the system could not provide its own FQDN as part of the Active Directory update.  This is needed for dynamic DNS updates.  Verify the alias in <span class="file filename">/etc/hosts</span> described in "Modify /etc/hosts" above.</p>
<p class="para">(The message "NT_STATUS_UNSUCCESSFUL" indicates the domain join failed and something is incorrect.  Review the prior steps before proceeding).</p>
<p class="para">Here are a couple of (optional) checks to verify that the domain join was successful. Note that if the domain was successfully joined but one or both of these steps fail, it may be necessary to wait 1-2 minutes and try again.  Some of the changes appear to be asynchronous.</p>
<p class="para">Verification option #1:</p>
<p class="para">Check the default Organizational Unit for computer accounts in the Active Directory to verify that the computer account was created.  (Organizational Units in Active Directory is a topic outside the scope of this guide).</p>
<p class="para">Verification option #2</p>
<p class="para">Execute this command for a specific AD user (e.g. administrator)</p>
<div class="screen"><pre class="contents "><span class="cmd command">getent passwd username</span></pre></div>
<div class="note" title="Note"><div class="inner"><div class="region"><div class="contents"><p class="para">If <span class="em emphasis">enumerate = true</span> is set in <span class="file filename">sssd.conf</span>, <span class="em emphasis">getent passwd</span> with no username argument will list all domain users.  This may be useful for testing, but is slow and not recommended for production.</p></div></div></div></div>
</div></div>
</div></div>
<div class="sect2 sect" id="sssd-ad-test"><div class="inner">
<div class="hgroup"><h2 class="title">Test Authentication</h2></div>
<div class="region"><div class="contents">
<p class="para">It should now be possible to authenticate using an Active Directory User's credentials:</p>
<div class="screen"><pre class="contents "><span class="cmd command">su - username</span></pre></div>
<p class="para">If this works, then other login methods (getty, ssh) should also work.</p>
<p class="para">If the computer account was created, indicating that the system was "joined" to the domain, but authentication is unsuccessful, it may be helpful to review <span class="file filename">/etc/pam.d</span> and <span class="file filename">nssswitch.conf</span> as well as the file changes described earlier in this guide.</p>
</div></div>
</div></div>
<div class="sect2 sect" id="sssd-ad-mkhomedir"><div class="inner">
<div class="hgroup"><h2 class="title">Home directories with pam_mkhomedir (optional)</h2></div>
<div class="region"><div class="contents">
<p class="para">When logging in using an Active Directory user account, it is likely that user has no home directory.  This can be fixed with pam_mkdhomedir.so, which will create the user's home directory on login.  Edit <span class="file filename">/etc/pam.d/common-session</span>, and add this line directly after <span class="em emphasis">session required pam_unix.so:</span></p>
<div class="code"><pre class="contents ">session    required    pam_mkhomedir.so skel=/etc/skel/ umask=0022
</pre></div>
<div class="note" title="Note"><div class="inner"><div class="region"><div class="contents"><p class="para">This may also need <span class="em emphasis">override_homedir</span> in <span class="file filename">sssd.conf</span> to function correctly, so make sure that's set.</p></div></div></div></div>
</div></div>
</div></div>
<div class="sect2 sect" id="sssd-ad-desktop"><div class="inner">
<div class="hgroup"><h2 class="title">Desktop Ubuntu Authentication</h2></div>
<div class="region"><div class="contents">
<p class="para">It is possible to also authenticate logins to Ubuntu Desktop using Active Directory accounts.  The AD accounts will not show up in the pick list with local users, so lightdm will need to be modified.  Edit the file <span class="file filename">/etc/lightdm/lightdm.conf.d/50-unity-greeter.conf</span> and append the following two lines:</p>
<div class="code"><pre class="contents ">greeter-show-manual-login=true
greeter-hide-users=true
</pre></div>
<p class="para">Reboot to restart lightdm.  It should now be possible to log in using a domain account using either <span class="em emphasis">username</span> or <span class="em emphasis">username/username@domain</span> format.</p>
</div></div>
</div></div>
<div class="sect2 sect" id="sssd-ad-resources"><div class="inner">
<div class="hgroup"><h2 class="title">Resources</h2></div>
<div class="region"><div class="contents"><div class="list itemizedlist"><ul class="list itemizedlist">
<li class="list itemizedlist"><p class="para"><a href="https://github.com/SSSD/sssd" class="ulink" title="https://github.com/SSSD/sssd">GitHub SSSD Project</a></p></li>
<li class="list itemizedlist"><p class="para"><a href="https://technet.microsoft.com/en-us/library/cc759550%28v=ws.10%29.aspx" class="ulink" title="https://technet.microsoft.com/en-us/library/cc759550%28v=ws.10%29.aspx">Active Directory DNS Zone Entries</a></p></li>
<li class="list itemizedlist"><p class="para"><a href="http://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html" class="ulink" title="http://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html">Kerberos config options</a></p></li>
</ul></div></div></div>
</div></div>
</div>
<div class="links nextlinks">
<a class="nextlinks-prev" href="kerberos-ldap.html" title="Kerberos and LDAP">Previous</a><a class="nextlinks-next" href="dns.html" title="Domain Name Service (DNS)">Next</a>
</div>
<div class="clear"></div>
</div>
<div id="pagebottom"></div>
</div></div>
</div>
<div id="footer"><p>The material in this document is available under a free license, see <a href="https://help.ubuntu.com/legal.html">Legal</a> for details.<br>
          For information on contributing see the <a href="https://wiki.ubuntu.com/DocumentationTeam">Ubuntu Documentation Team wiki page</a>.
          To report errors in this serverguide documentation, <a href="https://bugs.launchpad.net/serverguide">file a bug report</a>.</p></div>
</div>
</body>
</html>
